Consul ACL configuration: allow registering and accessing all nodes, and reading any service

Add the ACL configuration file to the agent's config directory. "enabled" switches ACLs on, "default_policy" of deny makes ACLs an allow-list (anything no policy grants is refused), and "down_policy" of extend-cache lets an agent keep using its cached token decisions while the ACL servers are unreachable.

# vim acl.json
{
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "down_policy": "extend-cache"
  }
}

Restart Consul

# docker restart consul_server

Generate the bootstrap token. This works only once per cluster; the SecretID printed is the global-management token, so keep it in a secrets store and never put it into agent config files (agents get the narrower agent token created below).

# consul acl bootstrap
AccessorID: edcaacda-b6d0-1954-5939-b5aceaca7c9a
SecretID: 4411f091-a4c9-48e6-0884-1fcb092da1c8
Description: Bootstrap Token (Global Management)
Local: false
Create Time: 2018-12-06 18:03:23.742699239 +0000 UTC
Policies:
00000000-0000-0000-0000-000000000001 - global-management

Set the environment variable

Note that /etc/profile is readable by every account on the host, so appending the global-management SecretID to it exposes the token to all users and login shells. For anything beyond a test box, export it only in the current shell (or pass -token on each command).

# echo 'export CONSUL_HTTP_TOKEN=4411f091-a4c9-48e6-0884-1fcb092da1c8' >>/etc/profile
# source /etc/profile

Create the agent token

Create the agent policy

# vim agent-policy.hcl
node_prefix "" {
   policy = "write"
}
service_prefix "" {
   policy = "read"
}

This policy allows registering and accessing all nodes, and reading any service: node_prefix "" with write lets an agent register and update any node entry (its own included), and service_prefix "" with read lets it read the catalog for any service. It grants no KV access and no service write access. The output below is illustrative; the policy ID, and the SecretIDs and timestamps that follow, differ on every run.

# consul acl policy create  -name "agent-token" -description "Agent Token Policy" -rules @agent-policy.hcl
ID:           5102b76c-6058-9fe7-82a4-315c353eb7f7
Name:         agent-token
Description:  Agent Token Policy
Datacenters:
Rules:
node_prefix "" {
   policy = "write"
}

service_prefix "" {
   policy = "read"
}

Create the agent token, attached to the policy just created. Its SecretID is what goes into the agents' configuration below.

# consul acl token create -description "Agent Token" -policy-name "agent-token"
AccessorID:   499ab022-27f2-acb8-4e05-5a01fff3b1d1
SecretID:     da666809-98ca-0e94-a99c-893c4bf5f9eb
Description:  Agent Token
Local:        false
Create Time:  2018-10-19 14:23:40.816899 -0400 EDT
Policies:
   5102b76c-6058-9fe7-82a4-315c353eb7f7 - agent-token

Server-side ACL configuration

Add the agent token to the configuration of every server (server.hcl in this post). The fragment below uses JSON syntax, so the safe way to load it is a .json file in the config directory with the fragment wrapped in an outer pair of braces (Consul selects the parser by file extension). The bootstrap token is deliberately absent: agents only ever hold the agent token.

"primary_datacenter": "testkydhuabei2",
"acl": {
  "enabled": true,
  "default_policy": "deny",
  "down_policy": "extend-cache",
  "tokens": {
    "agent": "da666809-98ca-0e94-a99c-893c4bf5f9eb"
  }
}

Restart Consul

# docker restart consul_server

Check that it worked. With default_policy deny the catalog endpoints filter rather than reject: the same request with no token, or with a token lacking node:read, returns an empty list with HTTP 200. The useful check is therefore that the node list is non-empty with the bootstrap token and empty without it.

# curl http://127.0.0.1:8500/v1/catalog/nodes -H 'x-consul-token: 4411f091-a4c9-48e6-0884-1fcb092da1c8'
[
    {
        "Address": "172.20.20.10",
        "CreateIndex": 7,
        "Datacenter": "kc",
        "ID": "881cfb69-2bcd-c2a9-d87c-cb79fc454df9",
        "Meta": {
            "consul-network-segment": ""
        },
        "ModifyIndex": 10,
        "Node": "fox",
        "TaggedAddresses": {
            "lan": "172.20.20.10",
            "wan": "172.20.20.10"
        }
    }]

Client-side ACL configuration

Add the same agent token to the configuration of every client (client.hcl in this post). As on the servers, this is JSON syntax, so load it from a .json file wrapped in outer braces.

"acl": {
  "enabled": true,
  "default_policy": "deny",
  "down_policy": "extend-cache",
  "tokens": {
    "agent": "da666809-98ca-0e94-a99c-893c4bf5f9eb"
  }
}

Restart Consul

# docker restart consul_client
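The agent-token steps above (policy, token, agent config, verification), collected into one script as an added example that is not part of the original post. Everything runnable offline is a function; the live path only runs with RUN_LIVE=1 and a bootstrap token in CONSUL_HTTP_TOKEN. The datacenter name dc1, the CONSUL_CONFIG_DIR variable and the RUN_LIVE switch are assumptions made for this example, and the sample token output is constructed from the page's own listing.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed for illustration:
# datacenter "dc1", CONSUL_CONFIG_DIR, RUN_LIVE.
set -eu

# Rules exactly as in agent-policy.hcl: register/update any node, read any
# service. Nothing more is required for an agent's anti-entropy sync.
agent_policy_rules() {
  cat <<'EOF'
node_prefix "" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
EOF
}

# Pull the SecretID out of `consul acl token create` text output on stdin.
parse_secret_id() {
  awk '$1 == "SecretID:" { print $2; exit }'
}

# Render the agent's ACL config as a complete .json file body. JSON syntax
# goes in a .json file (Consul picks the parser by extension). Only the
# "agent" token is set; "default" is left unset so requests that carry no
# token fall back to the anonymous token and are denied.
render_acl_config() {
  dc="$1"; token="$2"
  cat <<EOF
{
  "primary_datacenter": "$dc",
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "down_policy": "extend-cache",
    "tokens": {
      "agent": "$token"
    }
  }
}
EOF
}

# Count node entries in a /v1/catalog/nodes body on stdin. With
# default_policy=deny the catalog filters instead of rejecting: a missing or
# underprivileged token yields "[]" with HTTP 200, so check the body, not
# the status code.
count_nodes() {
  awk '{ n += gsub(/"Node":/, "&") } END { print n + 0 }'
}

# Constructed sample: the token output shown on the page, so the helpers can
# be exercised without a running Consul.
SAMPLE_TOKEN_OUTPUT='AccessorID:   499ab022-27f2-acb8-4e05-5a01fff3b1d1
SecretID:     da666809-98ca-0e94-a99c-893c4bf5f9eb
Description:  Agent Token
Local:        false'

if [ "${RUN_LIVE:-0}" = "1" ]; then
  # Live path: CONSUL_HTTP_TOKEN must hold the bootstrap token.
  agent_policy_rules > agent-policy.hcl
  consul acl policy create -name agent-token -description "Agent Token Policy" -rules @agent-policy.hcl
  AGENT_TOKEN=$(consul acl token create -description "Agent Token" -policy-name agent-token | parse_secret_id)
  # Persist the token for the next start...
  render_acl_config dc1 "$AGENT_TOKEN" > "${CONSUL_CONFIG_DIR:-/consul/config}/acl.json"
  # ...and push it to the running agent now, which avoids the restart.
  consul acl set-agent-token agent "$AGENT_TOKEN"
  # Verify: expect a non-zero count with the bootstrap token, 0 without one.
  curl -s http://127.0.0.1:8500/v1/catalog/nodes -H "X-Consul-Token: $CONSUL_HTTP_TOKEN" | count_nodes
  curl -s http://127.0.0.1:8500/v1/catalog/nodes | count_nodes
else
  printf '%s\n' "$SAMPLE_TOKEN_OUTPUT" | parse_secret_id
fi
```

Run with RUN_LIVE=1 on a host that can reach the agent's HTTP API; without it the script only exercises the parsing helper on the constructed sample.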

Service token

Service registration requires a service token. Registering a service needs service:write on that service's name; service:read is not enough and the registration is refused. The rules below therefore grant write under service_prefix. The key_prefix write rule is only needed if the service itself uses the KV store, and node_prefix write is not needed to register a service at all; in production, scope the rule to the service name (service "web" { policy = "write" }) rather than the empty prefix.

# vim service.hcl
key_prefix "" {
  policy = "write"   # only if the service uses the KV store; not needed to register
}
node_prefix "" {
  policy = "write"   # not needed to register a service; kept from the original rules
}
service_prefix "" {
  policy = "write"   # service:write is what registration requires
}
# consul acl policy create  -name "service-token" -description "Service Token Policy" -rules @service.hcl
# consul acl token create -description "Service Token" -policy-name "service-token"

The SecretID of this token is then handed to the agent at registration time, either with -token on consul services register or through the "token" field of the service definition loaded from the agent's config directory. This keeps the agent's own token at service:read.
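A least-privilege version of the service token, as an added example that is not part of the original post: the policy is scoped to one service name, the rules are checked for service:write before a token is minted, and the token is passed to the agent at registration. The service name web, port 8080 and the RUN_LIVE switch are assumptions for this example; PAGE_RULES is the original service.hcl from the page, included to show that it fails the check.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed for illustration:
# service "web" on port 8080, RUN_LIVE.
set -eu

# Registration needs service:write on the service's own name. Write is
# scoped to that name; read on all services is kept so the service can
# discover others. Neither key_prefix nor node_prefix is required.
service_policy_rules() {
  cat <<EOF
service "$1" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
EOF
}

# Service definition with the token embedded. When this file sits in the
# agent's config directory the agent uses this token, not its own agent
# token, to sync the service to the catalog.
render_service_definition() {
  name="$1"; port="$2"; token="$3"
  cat <<EOF
{
  "service": {
    "name": "$name",
    "port": $port,
    "token": "$token",
    "check": {
      "tcp": "127.0.0.1:$port",
      "interval": "10s"
    }
  }
}
EOF
}

# Pull the SecretID out of `consul acl token create` text output on stdin.
parse_secret_id() {
  awk '$1 == "SecretID:" { print $2; exit }'
}

# Pre-flight check: do the rules on stdin grant write on the named service?
# Expects one attribute per line, as the renderer above emits. Exit 0 = yes.
policy_grants_service_write() {
  awk -v svc="$1" '
    BEGIN { q = "\"" svc "\"" }
    $1 == "service" && $2 == q { in_block = 1 }
    in_block && $1 == "policy" && $3 == "\"write\"" { found = 1 }
    $1 == "}" { in_block = 0 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample: the original service.hcl from the page. It only grants
# service read, so policy_grants_service_write rejects it.
PAGE_RULES='key_prefix "" {
  policy = "write"
}
node_prefix "" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}'

SVC=web

if [ "${RUN_LIVE:-0}" = "1" ]; then
  # Live path: CONSUL_HTTP_TOKEN must hold a token able to manage ACLs.
  service_policy_rules "$SVC" > "$SVC-policy.hcl"
  policy_grants_service_write "$SVC" < "$SVC-policy.hcl"
  consul acl policy create -name "$SVC-service" -description "$SVC service token policy" -rules "@$SVC-policy.hcl"
  SVC_TOKEN=$(consul acl token create -description "$SVC service token" -policy-name "$SVC-service" | parse_secret_id)
  render_service_definition "$SVC" 8080 "$SVC_TOKEN" > "$SVC.json"
  # Register through the CLI, passing the service token explicitly so the
  # agent's own token never needs service:write.
  consul services register -token="$SVC_TOKEN" "$SVC.json"
else
  service_policy_rules "$SVC"
fi
```

Without RUN_LIVE=1 the script only prints the scoped rules; the check function is what you would run in CI against any rules file before it is turned into a token.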

References:

https://learn.hashicorp.com/consul/security-networking/production-acls

https://www.wqblogs.com/2019/01/23/consul%E9%85%8D%E7%BD%AEacl/

https://kingfree.gitbook.io/consul/day-1-operations/acl-guide
